eland
eland copied to clipboard
elastic
Migrate to Wolfi base Docker image
The main motivation is to reduce the number of CVEs. Using trivy, I'm seeing 863 system vulnerabilities in 8.15.0, which is based on Debian 12.
docker.elastic.co/eland/eland:8.15.0 (debian 12.6)
==================================================
Total: 863 (UNKNOWN: 1, LOW: 261, MEDIUM: 517, HIGH: 78, CRITICAL: 6)
With Wolfi, those CVEs are all gone:
eland (chainguard 20230214)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Additionally, the ARM image went from 1.66GB to 1GB (I don't have Linux x86-64 numbers).
However, we still have the following CVEs about our immediate dependencies. Fixing them is future work:
Python (python-pkg)
===================
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 1)
┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ scikit-learn (METADATA) │ CVE-2024-5206 │ MEDIUM │ fixed │ 1.3.2 │ 1.5.0 │ scikit-learn: Possible sensitive data leak │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-5206 │
├─────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ torch (METADATA) │ CVE-2024-31580 │ HIGH │ │ 2.1.2 │ 2.2.0 │ PyTorch before v2.2.0 was discovered to contain a heap │
│ │ │ │ │ │ │ buffer overflow ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-31580 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-31583 │ │ │ │ │ Pytorch before version v2.2.0 was discovered to contain a │
│ │ │ │ │ │ │ use-after-fr ... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-31583 │
├─────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ transformers (METADATA) │ CVE-2023-6730 │ CRITICAL │ │ 4.35.2 │ 4.36.0 │ transformers has a Deserialization of Untrusted Data │
│ │ │ │ │ │ │ vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-6730 │
│ ├────────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-7018 │ HIGH │ │ │ │ transformers has a Deserialization of Untrusted Data │
│ │ │ │ │ │ │ vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-7018 │
│ ├────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-3568 │ LOW │ │ │ 4.38.0 │ Transformers Deserialization of Untrusted Data vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-3568 │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
I don't expect any issues with third party model tracing with this new image but i'll do some tests just to make sure. Please hold from merging until I'm done.
The CVEs in torch and transformers will be resolved by merging the PyTorch upgrade PR https://github.com/elastic/eland/pull/718/files which will be done once Elasticsearch 8.15.1 is released.
